The Office of Management and Budget is finalizing new cybersecurity guidance, the
first major policy in more than three years.

Industry and government sources confirm OMB Director Sylvia Burwell is
reviewing the new policy that would tell agencies how to implement federal
information system continuous monitoring (FISCM).

Notice the change here — it's no longer just continuous monitoring, but OMB
is clarifying what agencies will continuously monitor. In this case, it's only
federal systems or the dot-gov network.

Several sources confirmed that OMB had the document ready to go a few weeks ago,
but senior officials expressed concern over the term "continuous monitoring"
without a modifier. Call it fallout from the Edward Snowden situation.

Sources say OMB pulled the memo back from being published and re-reviewed it to
specifically address any concerns over what types of systems and information
agencies will monitor.

Industry and government sources applauded OMB's foresight into this situation.
Continuous monitoring in the NIST sense means an agency tracking the security
state of its own systems (hardware and software inventory, configuration settings,
vulnerabilities, patch status), not watching people. Those in the general media
and public who are under-educated about what continuous monitoring means and how
it works could have caused a huge uproar over something that is fairly benign.

Sources say OMB adopted the information system continuous monitoring designation
from the National Institute of Standards and Technology's Special Publication
800-137, which NIST itself titles "Information Security Continuous Monitoring
(ISCM)" and which helps agencies develop and implement a continuous monitoring
program.

Of course, a change like that flows down several layers and into other policies
and standards, which is a major reason for the delay in releasing the new policy.

Sources say the policy is fairly long, more than 10 pages, and addresses all
aspects of implementing FISCM.

OMB will release the policy just as the Homeland Security Department is getting its
blanket purchase agreement for Continuous Diagnostics and Mitigation (CDM) services
up and running.

DHS awarded the contract to 17 vendors in early August. The vendors will provide
tools, hardware and software to implement continuous-monitoring-as-a-service
(CMaaS).

Suzanne Spaulding, the nominee to be DHS's under secretary of the National
Protection and Programs Directorate (NPPD), testified last week during her
nomination hearing that the CDM program faces budget and legislative hurdles. A
DHS official said after the hearing that all 23 civilian CFO Act agencies have
signed agreements to implement continuous monitoring.

And speaking of cybersecurity, there has been a lot of focus — and vendor
pitches — about what would happen to agency system security during the
shutdown.

Federal Chief Information Officer and acting Deputy Director for Management at OMB
Steve VanRoekel even gave The Wall Street Journal an interview on the
potential cyber problems created by the government shutdown.

But is there really any increased risk to federal systems?

Several cyber experts with years of experience in the federal market say it's all
a bunch of hooey — a technical term, I'm told.

One small agency chief information officer said they asked staff before the
shutdown which systems were absolutely essential, and the skeleton staff is
actively monitoring only those applications.

But the CIO, who requested anonymity so they could speak to the press, also said
the chief information security officer and other key federal security employees at
their agency are essential employees, and all contractors running their network
operations center (NOC) are at work during the shutdown. The CIO said their agency
ensured there was enough funding under the contract to keep the NOC running at
least through the end of October.

As for those systems that were not deemed vital, the NOC is still paying close
attention and will fix any cyber vulnerabilities. But the CIO said that if a server
fails, or if an application needs an update unrelated to cybersecurity, that may
have to wait until after the shutdown.

Another industry cyber expert said agencies keep the most talented and important
cybersecurity employees on during the shutdown.

"You actually get a glorious understanding of who matters and what you can do
without during the shutdown," said the industry expert, who requested anonymity in
order to speak more candidly. "The guys running the systems do know who is good
and who isn't, but it doesn't do them any good to tell people during a
non-shutdown time."